Risky Business Podcast

In this week's feature interview we're chatting with reverse engineer Jonathan Brossard about the theft of VMware source code from a third party. Lulzsec-linked hax0rs have owned up around 300mb of VMWare source and they say they're dropping it on May 5.

We believe them.

Predictably, VMware says it's no big deal, but Jonathan says that line is basically horseshit. He'll be joining us to tell us why.

Jonathan is the CEO of Toucan Systems and an organiser of Hackito Ergo Sum.

In this week's sponsor interview we're chatting with Adobe Software's product security chief Mr. Brad Arkin.

He'll be bringing us up to speed on what he's been up to over the last four weeks or so, and boy, has he been busy. They've been releasing silent auto-updaters for Flash player, open source malware triage tools, making major updates to Adobe Reader 9 for the poor souls who are unable to upgrade to 10; all sorts of good stuff.

Adam Boileau, as usual, joins the show for the week's news.

***EDITOR'S NOTE: There was a small error in this week's introduction script to the sponsor interview. Changes were made to Adobe Reader 9. The introduction script mistakenly said Adobe had introduced changes to Flash Player 9.

We've got a jam-packed show this week! We'll be hearing from Ruxcon organiser Chris Spencer about a new conference he's putting together. It's called BreakPoint and he's trying to establish it as a truly international conference.

We'll also be chatting with Mark Dowd about his, shall we say, more interesting vulnerability disclosure practices.

And in this week's sponsor interview we're chatting with RSA Security's Ian Farqhuar about BYOD -- bring your own devices. He says it's possible to spin the BYOD phenomenon into a security positive, basically because you now have an excuse to treat all your endpoints as hostile. It makes sense.

Adam Boileau, as usual, joins us for the week's news headlines.

*********When I initially posted this episode I linked through to the wrong mp3.

Fixed now!

On this week's show we're taking a look at new laws in the United Kingdom that are designed to automate the collection of certain types of intelligence from telcos and ISPs.

The information itself has previously been accessible without warrant by UK intelligence agencies, but now they'll be able to bring up the data with a few keystrokes in real time.

That simple change could result in grave invasions of privacy, according to this week's guest, Roelof Temmingh of , the makers of Maltego.

Also this week Chris Gatford of HackLabs drops by for this week's sponsor interview. In it we discuss some statistics he's cobbled together from HackLabs last 100 or so penetration tests. They're not so much surprising as, you know, depressing.

Adam Boileau, as always, is along to discuss this week's news. And this, spectacular fail.

On this week's show Adam Boileau and Patrick Gray talk through the week's security news headlines, including:

• Up to 500,000 Macs pwned by the Flashback Trojan
• Auto-updater finally out for Flash
• UK proposes completely stupid laws
• 1.5m credit card numbers looted
• Zeus still active after MS takedown

Tenable Network Security CSO Marcus Ranum stops by for this week's sponsor segment. Big thanks for Tenable for making this week's show possible!

This week we talk to CommsDay founder and publisher Grahame Lynch about the Australian Government's decision to ban Chinese Networking vendor Huawei from supplying equipment to the National Broadband Network.

The government says it will block Huawei's participation in the rollout of the $36 billion network on security grounds following a negative assessment by Australian spy agency ASIO. Read Grahame's take here.

Is this a decision that really makes sense from a pure political point of view? Or could there be some political considerations at play here? Grahame clues us in.

This week's show is brought to you by Adobe. Adobe's head of product security Brad Arkin is along in this week's show to talk about its new open source tool that helps incident responders pull apart suspicious flash objects.

Don't forget you can 'like' the Risky Business podcast on Facebook, if that's your thing, or follow Patrick Gray on Twitter.

Also this week, SC Magazine Australia's editor Darren "Dazza" Pauli joins us to discuss the week's news headlines. He's filling in for Adam Boileau who's off having his beard permed and dyed.

This week's feature interview is a chat with Verizon Business Security Solutions' Bryan Sartin about the annual Data Breach Investigations Report, or DBIR.

Risky Business covers the report [pdf] every year.

It's basically a post mortem of the previous year -- what sort of records were breached and by who? What were their motivations? What were their techniques?

The US Secret Service cooperates with the report, as does Australia's own Federal Police. When you throw in Verizon's own caseload, you wind up with something approaching an authoritative report. It's rare for a vendor to actually put out something this good.

The 2012 report, which focuses on 2011 incidents, arrived at a very interesting conclusion -- in 2011, more records were breached by hacktivists than criminals.

In this week's sponsor interview we chat with RSA Australia's acting country manager Geoff Noble. Geoff normally heads up sales, but don't hold that against him, because as you'll hear he's actually got a deep understanding of trends in enterprise security.

I got Geoff on the phone earlier this week and asked him to tell us what trends emerged at the most recent RSA conference in San Francisco.

This week's feature interview is with Alastiar MacGibbon, CEO of CREST Australia -- the Council of Registered Ethical Security Testers.

In the UK CREST is a big deal, and now it's on its way to Australia and NZ. There's even a similar organisation in the USA that is doing things the CREST way. So this approach could actually become a worldwide, accepted accreditation for security testers.

I know one extremely capable tester who flew over to the UK to take the CREST tests and wound up flunking the team leader portion of one of them, so it's not your typical rubber stamp.

But! With such a lack of talented security testers out there, it seems possible from where I sit that CREST may have to lower its standards to get enough people certified. And security is such a fast moving discipline -- how will we ensure that CREST certified testers have current skills?

That's this week's feature.

Adam Boileau, as always, stops by to chat about this week's news headlines.

On this week's show we're catching up with Mr. Popular himself, Adrian Lamo.

Adrian is best known as the guy who turned in alleged Wikileaks source Bradley Manning, but he also has some very interesting perspectives on the LulzSec arrests.

This week's show is sponsored by Tenable Network Security! In this week's sponsor interview Tenable product Manager Jack Daniel will be along to chat about a recent Tenable Webinar that was all about the internal politics of security. If you're struggling to get your colleagues on side, you want to listen to that interview!

Adam Boileau, as always, joins the show to discuss the week's news.

This week we'll be joined by Wired.com's news editor Kevin Poulsen for a chat about the big news of the week -- Wikileaks' gigantic dump of private intelligence contractor STRATFOR's allegedly stolen e-mails.

This week's show is sponsored by Adobe, and Adobe's head of product security, Brad Arkin, will be along to discuss the way ISV's view white-hat research. You might love your latest sandbox bypass technique, but he doesn't! That's this week's sponsor interview with Adobe's Brad Arkin.

As always, Adam Boileau stops by for a check of the week's news headlines.

In this week's feature interview you'll hear part two of my interview with In-Q-Tel's CSO Dan Geer. We chat with Dan about electronic surveillance, the state, fascism and even the "digital Amish".

He is, as always, fascinating.

This week's edition of the show is brought to you by Hacklabs, an Australian penetration testing firm. Some homegrown support! Thanks, guys.

Hacklabs very own Chris Gatford will be along in this week's sponsor interview to have a chat about Glenn Mangham, the Brit who's now serving a prison term for hacking Facebook despite his claim to be all very, very white-hatty.

Adam Boileau, as always, checks in to discuss the week's news headlines.